Browse Source

Merge pull request #9993 from Chocobo1/referer

Enforce referrer-policy in WebUI
adaptive-webui-19844
Mike Tzou 6 years ago committed by GitHub
parent
commit
deed457764
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 1
      src/base/http/types.h
  2. 27
      src/webui/webapplication.cpp
  3. 1
      src/webui/webapplication.h

1
src/base/http/types.h

@ -52,6 +52,7 @@ namespace Http
const char HEADER_HOST[] = "host"; const char HEADER_HOST[] = "host";
const char HEADER_ORIGIN[] = "origin"; const char HEADER_ORIGIN[] = "origin";
const char HEADER_REFERER[] = "referer"; const char HEADER_REFERER[] = "referer";
const char HEADER_REFERRER_POLICY[] = "referrer-policy";
const char HEADER_SET_COOKIE[] = "set-cookie"; const char HEADER_SET_COOKIE[] = "set-cookie";
const char HEADER_X_CONTENT_TYPE_OPTIONS[] = "x-content-type-options"; const char HEADER_X_CONTENT_TYPE_OPTIONS[] = "x-content-type-options";
const char HEADER_X_FORWARDED_HOST[] = "x-forwarded-host"; const char HEADER_X_FORWARDED_HOST[] = "x-forwarded-host";

27
src/webui/webapplication.cpp

@ -457,6 +457,13 @@ void WebApplication::configure()
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled(); m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled(); m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled(); m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
m_contentSecurityPolicy =
(m_isAltUIUsed
? QLatin1String("")
: QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"))
+ (m_isClickjackingProtectionEnabled ? QLatin1String(" frame-ancestors 'self';") : QLatin1String(""))
+ (m_isHttpsEnabled ? QLatin1String(" upgrade-insecure-requests;") : QLatin1String(""));
} }
void WebApplication::registerAPIController(const QString &scope, APIController *controller) void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -559,19 +566,17 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
print(error.message(), Http::CONTENT_TYPE_TXT); print(error.message(), Http::CONTENT_TYPE_TXT);
} }
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block"); header(QLatin1String(Http::HEADER_X_XSS_PROTECTION), QLatin1String("1; mode=block"));
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff"); header(QLatin1String(Http::HEADER_X_CONTENT_TYPE_OPTIONS), QLatin1String("nosniff"));
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"); if (m_isClickjackingProtectionEnabled)
if (m_isClickjackingProtectionEnabled) { header(QLatin1String(Http::HEADER_X_FRAME_OPTIONS), QLatin1String("SAMEORIGIN"));
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';"); if (!m_isAltUIUsed)
} header(QLatin1String(Http::HEADER_REFERRER_POLICY), QLatin1String("same-origin"));
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp); if (!m_contentSecurityPolicy.isEmpty())
header(QLatin1String(Http::HEADER_CONTENT_SECURITY_POLICY), m_contentSecurityPolicy);
return response(); return response();
} }

1
src/webui/webapplication.h

@ -157,4 +157,5 @@ private:
bool m_isCSRFProtectionEnabled; bool m_isCSRFProtectionEnabled;
bool m_isHostHeaderValidationEnabled; bool m_isHostHeaderValidationEnabled;
bool m_isHttpsEnabled; bool m_isHttpsEnabled;
QString m_contentSecurityPolicy;
}; };

Loading…
Cancel
Save